
Securing your Community


IPS software contains many built-in security systems to keep your community as secure as it can be. However, there are many additional steps you can take to ensure the security of your community.

Choosing a secure password
Without a doubt, the leading cause of compromised accounts is a poor password. Always try to use mixed case and include a number or symbol.

Account Locking
IP.Board includes a built-in tool to lock out accounts after a certain number of incorrect password attempts. This feature is a great tool to prevent brute force attempts from gaining access to a member's account.

This feature can be configured under the Brute-force Account Locking section of the Security and Privacy settings. On a relatively high-security community, you can also configure the software not to unlock accounts automatically after the given time. This requires an administrator to manually unlock accounts, which could potentially reveal a pattern in the accounts being brute-forced. In general, IPS recommends allowing automatic unlock to reduce the burden on the administrator.

Disabling Flash
Flash can sometimes be used to exploit vulnerabilities in a user's browser or Flash version. Although allowing Flash is relatively harmless in most communities, to achieve a higher level of security you can prevent Flash (.swf) files from being embedded into your community via the media BBcode tag. You can disable .swf embedding in the Manage Media Tag section of your AdminCP, under Look & Feel.

Disabling Embedded HTML
Along with disabling Flash, you can also disable or enable the posting of raw HTML code to your forums. This permission is set on a group-by-group basis, allowing you to, for example, trust Administrators with posting HTML, but not regular members.
IPS highly recommends you do not enable HTML posting in your community as it is a large security risk. By default, IPS software ships with HTML posting disabled.


Admin Directory Protection
You can add an additional layer of security to your AdminCP login by securing it with .htaccess protection (or similar functionality depending on your web server). This feature will create a dialog prompt asking for a password in addition to the regular IP.Board AdminCP login. Using the same password for the dialog prompt as you do for the forums defeats the purpose of this password. For best results, use a totally random string and change it regularly if shared with other Admins.

Directory-level password protection, be it with .htaccess or another method, is a function of your web server and cannot be set up directly inside IP.Board.
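
One way to set this up on the web server side, as an added example that is not IPS code: the script generates a random dialog password, stores it hashed in a password file, and writes the .htaccess for the AdminCP directory. It assumes Apache 2.4 with mod_auth_basic and AllowOverride AuthConfig; the function names, paths and user name are hypothetical.

```shell
#!/bin/sh
# Added example, not IPS code. Assumes Apache 2.4 with mod_auth_basic and
# AllowOverride AuthConfig; every path and user name is a placeholder.

# Print a random secret: $1 bytes (default 16) from /dev/urandom as hex.
gen_secret() {
    od -An -N"${1:-16}" -tx1 /dev/urandom | tr -d ' \n'
}

# Print an htpasswd line for user $1 with password $2. The password goes
# over stdin so it never appears in the process list.
make_htpasswd_line() {
    if command -v htpasswd >/dev/null 2>&1; then
        printf '%s\n' "$2" | htpasswd -niB "$1" | head -n 1   # bcrypt
    else
        printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
    fi
}

# Write $1/.htaccess so the directory requires a user from password file $2.
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile "$2"
Require valid-user
EOF
}

# Protect AdminCP directory $1 for user $3; $2 is the password file, which
# should live outside the web root. Re-run to rotate the shared password.
protect_admin_dir() {
    secret=$(gen_secret 16)
    # umask 027 -> mode 640; the web server user must still be able to read it.
    ( umask 027; make_htpasswd_line "$3" "$secret" > "$2" )
    write_htaccess "$1" "$2"
    printf 'Dialog login: %s / %s\n' "$3" "$secret"
}

# Usage (hypothetical paths):
# protect_admin_dir /var/www/forum/admin_secret /etc/apache2/forum-admin.htpasswd cpadmin
```

Running protect_admin_dir again overwrites the password file with a fresh secret, which covers the regular rotation recommended above.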

Moving and Renaming the /admin directory
IP.Board has a dedicated directory for the administration center. To further enhance security, you can rename this AdminCP directory. This is a more advanced user option so please only proceed if you are comfortable.

You can rename the directory on your web server using FTP or a similar tool. Once you do, create a new file called constants.php and add the following contents to it:
<?php
// The second argument must match the new name of your renamed AdminCP directory.
define( 'CP_DIRECTORY', 'admin_secret' );

Save and upload the file to your server. Your AdminCP directory has now been renamed and should be upgrade proof.
 
To read more about constants.php and what you can achieve with it, please read the following article: Preserving initdata.php Options


It is very important that when accessing technical support for your community, you inform our technicians of any renamed admin directories or extra password protection that your community uses. This will speed up your response time and ensure that we are able to properly help you. You are able to save your login information in your client center.


